Re: PGP messages getting flagged as spam

2007-10-22 Thread Sven Radde
Hi! Quite some time ago I have seen spams with an (obviously bogus) "---BEGIN PGP SIGNATURE---" + garbage part at the end of the mails. This might have had a negative influence on some Bayesian databases. Apart from creating a special SpamAssassin module which actually verifies incoming emails, I

Re: PGP messages getting flagged as spam

2007-10-19 Thread Mark H. Wood
On Thu, Oct 18, 2007 at 11:56:59PM -0400, Jason Harris wrote: > On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote: > > Probably true, but how will spammers get signatures on their stuff that > > are valid *for me*? They would have to compromise one of the keys that > > are valid on my keyr

Re: PGP messages getting flagged as spam

2007-10-19 Thread Ryan Malayter
You advocate a (x) technical ( ) legislative ( ) market-based ( ) vigilante approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a b

Re: PGP messages getting flagged as spam

2007-10-18 Thread Jason Harris
On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote: > Probably true, but how will spammers get signatures on their stuff that > are valid *for me*? They would have to compromise one of the keys that > are valid on my keyring or one that would be considered trustworthy by > means of the web

Re: professionalism, was Re: PGP messages getting flagged as spam

2007-10-18 Thread Robert J. Hansen
Ryan Malayter wrote: > Why wouldn't you set up a test lab with the Microsoft products as > well? It's a hypothetical. There do exist vendors that are infamously stingy with evaluation versions and heavily rely on "trust us".

Re: professionalism, was Re: PGP messages getting flagged as spam

2007-10-18 Thread Ryan Malayter
On 10/18/07, Robert J. Hansen <[EMAIL PROTECTED]> wrote: > With proprietary software, you're mostly stuck relying on your vendor > for information. Compare "Microsoft says that IIS will scale up to our > server load with our current server configuration" to "the Apache > Foundation isn't making an

Re: professionalism, was Re: PGP messages getting flagged as spam

2007-10-18 Thread Robert J. Hansen
reynt0 wrote: > Are there refined answers available to the question Yes. When giving a software evaluation, you always specify sources and methods. Each and every assertion needs a source and a method: who is your source, and how does your source know this? With proprietary software, you're mos

professionalism, was Re: PGP messages getting flagged as spam

2007-10-17 Thread reynt0
On Wed, 17 Oct 2007, Robert J. Hansen wrote: . . . > For a look at the problems in the University of Iowa student government > elections, take a look at: > > http://cs.uiowa.edu/~rjhansen/UISG.pdf > > After delivering this report to Student Government, their response was > to bury it, never

Re: PGP messages getting flagged as spam

2007-10-17 Thread reynt0
On Tue, 16 Oct 2007, Robert J. Hansen wrote: . . . > Vote-from-home over the internet is probably going to happen sooner or > later in some jurisdiction, if only because it is possible for a vendor . . . IIRC there was a Technische Universitaet or similar in Austria a while ago that was going

Re: PGP messages getting flagged as spam

2007-10-17 Thread Robert J. Hansen
reynt0 wrote: > IIRC there was a Technische Universitaet or similar in > Austria a while ago that was going to do some student > elections by internet. A lot of institutions are doing this nowadays. I expect most universities to go this way within the next few years--and once university students

Re: PGP messages getting flagged as spam

2007-10-17 Thread Sven Radde
Hi! Robert J. Hansen wrote: > So, what, the plan then is to discard any message that's signed by an > unknown or untrusted key? > (...) > So _more_ valid OpenPGP data gets discarded? This plan gets better and > better. The plan was not to discard anything, but *deny the bonus* in some cases whe

Re: PGP messages getting flagged as spam

2007-10-17 Thread Sven Radde
Hi! Robert J. Hansen wrote: > The instant spammers figure they can sneak past SpamAssassin a > fractional bit more by having a good PGP signature, we're going to see > an explosion of PGP/MIME. Probably true, but how will spammers get signatures on their stuff that are valid *for me*? They would

Re: PGP messages getting flagged as spam

2007-10-17 Thread Robert J. Hansen
Sven Radde wrote: > Probably true, but how will spammers get signatures on their stuff that > are valid *for me*? So, what, the plan then is to discard any message that's signed by an unknown or untrusted key? Or consider that to be a spam indicator? These cures are just as lousy as the disease.

Re: PGP messages getting flagged as spam

2007-10-17 Thread Snoken
At 16:32 2007-10-15, Werner Koch wrote: >On Mon, 15 Oct 2007 13:26, [EMAIL PROTECTED] said: > >> The real solution would be for SpamAssassin to check that the PGP >> messages are well-formed, and verify signatures on any PGP message >> before altering its score. A tad CPU intensive, I think, an

Re: PGP messages getting flagged as spam

2007-10-16 Thread Robert J. Hansen
gabriel rosenkoetter wrote: > It's still a worthwhile check, assuming an appropriately weighted > system (valid PGP signatures don't necessarily mean I want to read > the email, so it's worth a few points, but definitely a less-than-1 > fraction of my "not spam, deliver it" number). Given that the

Re: PGP messages getting flagged as spam

2007-10-16 Thread gabriel rosenkoetter
At 2007-10-15 06:26 -0500, Ryan Malayter <[EMAIL PROTECTED]> wrote: > The real solution would be for SpamAssassin to check that the PGP > messages are well-formed, and verify signatures on any PGP message > before altering its score. A tad CPU intensive, I think, and it poses > a host of key managem

Re: PGP messages getting flagged as spam

2007-10-16 Thread Robert J. Hansen
[EMAIL PROTECTED] wrote: > And therein is the issue. A year ago, I wrote an editorial where I > made a semi-numeric mostly educated guess that 15-30% of all > home/private systems were already compromised. I got some hate mail > but in the intervening months, Vint Cerf said 40%, Microsoft said >

Re: PGP messages getting flagged as spam

2007-10-16 Thread dan
Werner Koch writes: | | > If the system is compromised, you cannot be sure of the | > authenticity of messages coming from there, can you? | | Right. | And therein is the issue. A year ago, I wrote an editorial where I made a semi-numeric mostly educated guess that 15-30% of all home/p

Re: PGP messages getting flagged as spam

2007-10-16 Thread Werner Koch
On Tue, 16 Oct 2007 07:46, [EMAIL PROTECTED] said: > Just out of curiosity: Does this (or, rather: should this) have > implications for your trust of the signer's key? Well I assume that this guy keeps his primary key offline and thus malware would not be able to let him sign other keys ;-) > If

Re: PGP messages getting flagged as spam

2007-10-16 Thread Robert J. Hansen
Sven Radde wrote: > Just out of curiosity: Does this (or, rather: should this) have > implications for your trust of the signer's key? There are two schools of thought on this. 1. "Beats me. You get to define your policy, not me." 2. "If this guy's control of his keys and passphrase is so poo

Re: PGP messages getting flagged as spam

2007-10-15 Thread Sven Radde
Hi! Werner Koch wrote: > FWIW, a few weeks ago I received the first PGP signed spam. The > signature was good and I believe that it was sent using a trojan > utilizing the local MUA which was configured to sign all outgoing mail. Just out of curiosity: Does this (or, rather: should this) have

Re: PGP messages getting flagged as spam

2007-10-15 Thread Dave Brondsema
gative score to signed emails. See http://search.cpan.org/perldoc?Mail::SpamAssassin::Plugin::OpenPGP I am using it myself, but it is not complete and I wouldn't recommend using it in a production environment without some good testing. And patches for it, probably :)

Re: PGP messages getting flagged as spam

2007-10-15 Thread Werner Koch
On Mon, 15 Oct 2007 13:26, [EMAIL PROTECTED] said: > The real solution would be for SpamAssassin to check that the PGP > messages are well-formed, and verify signatures on any PGP message > before altering its score. A tad CPU intensive, I think, and it poses FWIW, a few weeks ago I received the f

Re: PGP messages getting flagged as spam

2007-10-15 Thread Ryan Malayter
On 10/15/07, gabriel rosenkoetter <[EMAIL PROTECTED]> wrote: > It's up to the site administrator to make use of SA rules that aren't > braindamaged. It's hardly the fault of the authors of SA if some > site decides to add 2.5 points to every message with a MIME > attachment, though you can, perhaps,

Re: PGP messages getting flagged as spam

2007-10-15 Thread gabriel rosenkoetter
At 2007-10-13 19:52 -0700, Doug Barton <[EMAIL PROTECTED]> wrote: > Has anyone tried contacting the SA developers about this? It seems like > something fairly straightforward for them to add. "The SA developers" is a misconceived phrase here. You're interested in the party who wrote widely desse

Re: PGP messages getting flagged as spam

2007-10-13 Thread Doug Barton
On Tue, 9 Oct 2007, Adam Schreiber wrote: > When my university was using SpamAssassin, GPG emails were being > marked as spam because patterns were being matched by the armored text > and no negative bonus was being given to GPG signed or encrypted > messages. They were not willing to tweak their

Re: PGP messages getting flagged as spam

2007-10-09 Thread Adam Schreiber
When my university was using SpamAssassin, GPG emails were being marked as spam because patterns were being matched by the armored text and no negative bonus was being given to GPG signed or encrypted messages. They were not willing to tweak their rules. Adam Schreiber On 10/9/07, Robert J. Hans

PGP messages getting flagged as spam

2007-10-09 Thread Robert J. Hansen
I just received word from one of my regular correspondents that his email server has begun flagging PGP traffic as spam. I haven't seen this come up often (ever?) in the lists before, so I'm operating on the assumption that this may be a new problem people should be aware of. SpamAssassin is givi